spawn

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-19 08:01:17 +00:00

History

A 7801c263bb security: verify symlink targets before overwrite in install.sh (#2404 ) Before creating symlinks in /usr/local/bin, verify that any existing symlink points to a safe location ($HOME/.local/, $HOME/.bun/, /usr/local/, $HOME/.npm-global/). If a symlink points to an unexpected location, warn the user and skip to prevent malicious symlink persistence through reinstalls. Uses portable `readlink` (without -f) for macOS bash 3.2 compatibility. Fixes #2402 Agent: security-auditor Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-03-09 18:37:58 -07:00
..
install.ps1	refactor: remove packages/shared, deduplicate with CLI shared (#2257 )	2026-03-06 21:58:42 -05:00
install.sh	security: verify symlink targets before overwrite in install.sh (#2404 )	2026-03-09 18:37:58 -07:00

security: verify symlink targets before overwrite in install.sh (#2404 )

Before creating symlinks in /usr/local/bin, verify that any existing
symlink points to a safe location ($HOME/.local/*, $HOME/.bun/*,
/usr/local/*, $HOME/.npm-global/*). If a symlink points to an
unexpected location, warn the user and skip to prevent malicious
symlink persistence through reinstalls.

Uses portable `readlink` (without -f) for macOS bash 3.2 compatibility.

Fixes #2402

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-03-09 18:37:58 -07:00

install.ps1

refactor: remove packages/shared, deduplicate with CLI shared (#2257 )

2026-03-06 21:58:42 -05:00

install.sh

security: verify symlink targets before overwrite in install.sh (#2404 )

2026-03-09 18:37:58 -07:00